How People Broadcast Their Locations Without Meaning To

wjousts writes "Smartphones include geotagging features that many people aren't aware of, MIT's Technology Review reports. And it's not just in the obvious places: 'For example, by looking at the location metadata stored with pictures posted through one man's anonymous Twitter account, the researchers were able to pinpoint his likely home address. From there, by cross-referencing this location with city records, they found his name. Using that information, the researchers went on to find his place of work, his wife's name, and information about his children.'"

Duh.

[_0xd0ad]

Anyone who's been to 4chan should know this.

Re:Duh.

[_0xd0ad]

I might as well also point out that 4chan strips the EXIF data from uploaded images for exactly this reason.

Re:

[ThatsMyNick]

Not to forget, Facebook strips EXIF too.

Re:Duh.

[_0xd0ad]

True, although Facebook has always stripped EXIF. 4chan didn't use to strip EXIF.

Facebook also compresses the images all to shit, too, although they recently made it possible to let people download a higher-quality version.

Re:

[ottothecow]

Well...people who care about the quality of their photos often use something like flickr. Not that I don't put my nice photos on facebook too...I just don't expect much and prefer quick loading files that I can flip through as fast as my eye can register that it is another random facebook pic that I don't care about. I would imagine facebook trims all metadata as a way to speed up loading (millions of pictures turns into a lot of metadata considering how much stuff some cameras include)

Sites like flickr

Re:

[Kamiza Ikioi]

With Facebook always stripping and 4chan not always stripping, we can reasonably conclude without any pictures at all that Facebook works at a strip club.

By cross referencing the fact that "4chan didn't use to strip", we can also reasonably conclude that Facebook is a gateway to stripping.

And from there, we can reasonably conclude that Facebook, being the more mature stripper, probably holds the leash attached to the dog collar on 4chan's neck when they strip together on stage.

MIT's report isn't so impressi

Re:

[_0xd0ad]

I haven't been there in a while, but it was probably 6 months ago, maybe less. Then again, it might have only been on - ahem - certain boards. Maybe I'll check tonight.

Re:Duh.

[wjousts]

Considering the proportion of people that have been on 4chan versus the general population, that's not particularly helpful.

Re:Duh.

[_0xd0ad]

Considering the proportion of people that have been on 4chan versus the people who'd publicly admit to it, it might be more helpful than you'd expect.

Re:

[geekmux]

Considering the proportion of people that have been on 4chan versus the people who'd publicly admit to it, it might be more helpful than you'd expect.

Considering the fact that most of the population doesn't know about "breaking news" related to the computing world(specifically security) until they hear about it on the evening news, and the fact that news outlets can't even spell 4chan, much less know what the hell it is, I'd say the overall level of ignorance pretty much remains the same. Doubt you'd find even 1 person out of 100 that knows what EXIF data is anyway, they're far too busy tweeting about their picture collection and posting it for the worl

Re:

[wjousts]

Doubt you'd find even 1 person out of 100 that knows what EXIF data is anyway, they're far too busy tweeting about their picture collection and posting it for the world to see anyway, they don't have time to be concerned about such trivial things as privacy anymore.

I think you're being a little unfair there. It's not that they aren't concerned, it's that they don't even know that they don't even know what EXIF is.

Re:

[geekmux]

Doubt you'd find even 1 person out of 100 that knows what EXIF data is anyway, they're far too busy tweeting about their picture collection and posting it for the world to see anyway, they don't have time to be concerned about such trivial things as privacy anymore.

I think you're being a little unfair there. It's not that they aren't concerned, it's that they don't even know that they don't even know what EXIF is.

Unfair? Nah, not really. Given peoples propensity to post every minute detail of their personal lives on Farcebook and Twitter for the world to see, I'd say there are far more people who simply don't care anymore about privacy.

Re:

[wjousts]

That's a bullshit attitude. Why should some non-technical person even think that their phone might be tagging their photos with location information. It's far from obvious and far from intuitive. If your technology requires that much effort to understand it's a failure of your technology, not your users. It's attitudes like yours that leads to unusable nonsense such as...well...Linux ; )

Re:Duh.

[Hultis]

You do realize 4chan's Alexa Traffic Rank is 632, right? Compare this to Slashdot, which is ranked 1296. 4chan isn't exactly the well-kept secret some people want to think of it as.

Re:

[Labcoat Samurai]

I wonder if Slashdot's Alexa rank is lower because Slashdot users tend to not want to have a damn spyware toolbar on their browser :)

Re:

[mcmonkey]

While the hidden data in image files is interesting, the real news here is there are people left who don't mean to broadcast their location.

I suspect these researchers started with a picture of a man standing in front of his house, with the house number visible, and a street sign in the background, and a sign on the house reading "Welcome to the home of John and Jane Smith," while the man wears a "Hi, My Name is John Smith" name tag.

And there were able to decode the image meta-data to discover they had a pi

Re:

[bberens]

Pictures taken on your phones contain GPS information. So most people posting pics online of their kids or whatever are giving away the GPS location. If there's a bunch at exactly the same GPS location you can guess that it's the person's house.

Re:

[icebike]

You don't need GPS information to get in trouble.

Shortly after Gulf II, during the occupation phase there appeared several images of combat missions, including firefights, tank fire, etc, posted on various sites by soldiers who withheld their names. Many of these had full EXIF info, many of them even had the name of the camera owner of a high end DSLR (which I didn't even think an authorized in a war zone). (Canon as I recall).

Being secretive enough to snap his buddies only from the back, and not give his

Re:Duh.

[Registered Coward v2]

In other news, I have a picture of someone standing in front of the Eiffel Tower. The image meta-data indicates the person was in Paris at the time.

You've revealed even more info with your post - you do not work for the USPS. If you did, the meta-data would indicate you are in Las Vegas.

Re:

[_0xd0ad]

In other news, I have a picture of someone standing in front of the Eiffel Tower. The image meta-data indicates the person was in Paris at the time.

Well, I've seen pictures posted from someone's iPhone taken in their bedroom that contained the GPS coordinates of their house. Unlike the Eiffel Tower, their bedroom wasn't spectacularly distinctive. I'd never have known where they lived if it wasn't for the GPS metadata.

Re:

[profplump]

You couldn't get a detailed location from that picture (or at least you didn't know -- there actually might be a good deal of information available from things like the angle of the sun/etc.). But you did get a lot of other potentially private information about the layout and contents of the bedroom. The point is that publishing photos to the Internet inherently reduces your privacy, and the possibility of location stamps is only a small part of that. Focusing on EXIF data ignores the larger problem -- we s

Re:

[RockDoctor]

I've seen pictures posted from someone's iPhone taken in their bedroom that contained the GPS coordinates of their house.

Given that GPS devices generally don't work indoors (and often don't work under significant foliage), this begs the question of whether associated cameras report (in their EXIF data, or whatever) the last valid GPS location received, or a "rogue value" (e.g. Long 361, Lat 361), or a marine location off the west of Africa (Long 0, Lat 0).

I'm sure commenters won't read this far, but I'm th

Re:

[_0xd0ad]

Most likely it was the last fix made by the device from somewhere in the vicinity of their front door.

Re:

[RockDoctor]

somewhere in the vicinity of their front door.

s/their front door/the last time that the GPS module saw enough sky for long enough to update it's position/

Which, given that GPS is, as I said, often affected by foliage, being under a roof, to a significant degree even by cloudy/ rainy weather ... could well be a very different location to what gets written into the time-position database. And of course, there is no "right" answer, so pretty much every device's programmer is free to choose how to implement th

Re:

[_0xd0ad]

Considering that they work pretty well in moving vehicles (hence GPS mapping on smartphones), it's a fair bet that it held its fix right up to their front door.

Re:

[RockDoctor]

OIC : your worldview includes an expectation of seeing sky from your front door. That's an interesting comment in itself.

So, have you ever lived in a building with several hundred other households? Where it could easily be 10 minutes walk (waiting for elevators, etc) between your GPS device (SatNav, whatever) losing sight of the sky and you arriving at your domicile (in the sense that a search warrant would be limited to one such premises).

I'm planning on consuming beer next Friday with one of our programm

Re:

[_0xd0ad]

No, my "worldview" (isn't the right word, but as it's the word you picked, we'll go with it) includes an expectation that when someone posts pictures online showing themselves in their house and the pictures are GPS-tagged with approximately the front yard of a typical residential dwelling place, it's a fair bet that they live there.

Re:

[jd2112]

The metadata was faked. The picture was taken by the replica in Las Vegas. On the other hand if the USPS had bothered to check metadata it might have saved them some embarrasment.

Privacy disinterest come home to roost

[dtmos]

The lack of interest in personal privacy is probably the 21st Century's social movement that most surprised me. If someone had told me in 1991 that in 20 years people would want to publish their personal photographs to the world, and announce to everyone literate when they would be out of town, I would have said they were nuts: They're obviously risky behaviors in which no thinking person would engage.

How wrong I was.

Re:

[0123456]

Surely Microsoft have conclusively proven that most people value convenience far more than security?

The big problem is that companies add these 'convenience' features with no warning and no easy way to remove them. Having to manually strip exif data from every image is painful, to say the least.

Re:Privacy disinterest come home to roost

[ThatsMyNick]

mogrify -strip *.jpg will do!

Re:

[PReDiToR]

exiv2 rm *

* because there might be a mixture of images that I'm due to upload somewhere or other.
From my camera (CHDK [wikia.com] FTW!) they are all .JPG or .DNG.

Re:Privacy disinterest come home to roost

[thePowerOfGrayskull]

Surely Microsoft have conclusively proven that most people value convenience far more than security?

The big problem is that companies add these 'convenience' features with no warning and no easy way to remove them. Having to manually strip exif data from every image is painful, to say the least.

The big problem is more that most consumers don't realize that they're giving up security when they give up privacy - as with GP's example, telling the world when their house is vacant, and even giving the world their regular out-of-house patterns.

Re:

[Darinbob]

I didn't even know this stuff existed. I own nothing with a GPS, especially not a GPS in a phone or camera. Maybe there's a way I could laboriously enter my name into my digital camera but I don't even see the point. I'm so backwards I still don't even see the point of wanting random strangers to see your photos or know what you had for lunch.

So which is it: the manufacturers are insane for adding this stuff, or the customers are insane for wanting it?

Re:

[jd]

It's worse than that. Based on the somewhat heated discussion I had in which I was slammed for stating that privacy and security are an aspect of freedom, I'd have to say that not only do people value convenience far more than security, they regard security as a major liability,

Re:

[Anonymous Coward]

Most people don't intend to post pics with geo-information tagged in it. Cameras starting adding the data as the "default" option a couple years ago, and no one (except nerds) took notice. So now we have millions of pictures floating around with lat/long data encoded in them. I couldn't believe cameras chose to embed the data automatically -- that's where the real disbelief is. Humans probably would turn it off if they knew it was on.

Re:Privacy disinterest come home to roost

[sglewis100]

Most people don't intend to post pics with geo-information tagged in it. Cameras starting adding the data as the "default" option a couple years ago, and no one (except nerds) took notice. So now we have millions of pictures floating around with lat/long data encoded in them. I couldn't believe cameras chose to embed the data automatically -- that's where the real disbelief is. Humans probably would turn it off if they knew it was on.

Oh please. People check into FourSquare or Facebook religiously, and tweet that they are leaving for vacation, and then come home and post pictures for the world to see. The problem isn't that they are unaware their location can be tracked. It's that they are proud to broadcast it. Actually problem is the wrong word for me to use... they don't see it as a problem.

Re:

[Nerdfest]

tweet that they are leaving for vacation

Isn't relying on people not knowing you're on vacation the real life version of "security through obscurity"? There are similarities at least.

Re:

[_0xd0ad]

Yes, but so is not having your SSN tattooed on your forehead.

Re:

[Jason Levine]

There's a difference between telling your neighbors "We'll be out of town over the weekend, could you keep an eye on our house for us" and telling the entire Internet "We're leaving our house vacant this weekend and, by the way, here's a geotagged photo of our kids playing in the backyard." Just because Security Through Obscurity doesn't work in some instances doesn't mean it is a bad idea in all instances. Similarly, just because openness is a good idea in some instances, doesn't mean it is a good idea i

Doesn't it become "safety in numbers"

[NotQuiteReal]

If there are a statistically significant number of numskulls, security-wise, doesn't that ironically make it somewhat "safe"?

If there are lots of "targets" any one poster's odds of being hit is less.

I suspect burglary is largely a crime of convenience and there is not a lot of high tech "casing the joint" kind of work going on.

Personally, I don't post any clues about my life, but I am just trying to be objective here.

Re:

[Adrian Lopez]

Oh please. People check into FourSquare or Facebook religiously, and tweet that they are leaving for vacation, and then come home and post pictures for the world to see.

There's a difference between data people choose to share and data they share without knowing they are doing so. Guess which one GP is concerned about.

Re:

[sglewis100]

I wasn't concerned with one poster. I was replying to a post that mentioned "most people", not "me specifically".

Re:

[dtmos]

Actually, I'm concerned about both, since I consider them to be the same issue. A thoughtful person minimizes the amount of his personal data he makes public not only for the reasons he knows about, but also because he can reasonably expect that making his data public may be to his detriment in ways of which he is unaware: He knows that he is not omniscient, and that technology advances over time, so that things impractical or uneconomic today may be both trivial and profitable (if only to a criminal) tom

Re:

[sexconker]

Quoting an entire post is unnecessary and stupid. You have been warned.

  Nobody cares about AC posts.

No exceptions.

Except for exception you didn't expect.

Yes, I'm referring to... ...the Spanish Inquisition!

Re:

[swillden]

I like having the geo-location metadata embedded in my photos. Services like Facebook and Twitter really should sanitize photos by removing most, if not all, of the EXIF data by default, though.

Re:

[element-o.p.]

Or at least provide a checkbox on the upload page that lets you turn the EXIF data on and off.

Personally, I kind of like having EXIF data on *some* of the photos I post -- for example, if I take a morning cruise around the mountains where I live on my motorcycle, I don't see the problem with posting a photo to Picassa with EXIF data of where I was at. In fact, sometimes, that's kind of the point: "here's something nifty I found, and here's where it's at so you can find it, too!" On Picassa, I

Re:

[Anonymous Coward]

And yet, those very risky actions become fairly safe, based on the sheer number of people doing it. As they mention in the article, the sheer volume of information available makes it impossible to keep up with everyone. If someone wants to pick out one person from the stream, they face a very difficult tactic. It becomes Zebra security--having identified a target, there is nothing that gives that target much security. But as long as you are in the herd, it's likely not cost effective to try and pick som

Re:

[PPH]

But as long as you are in the herd, it's likely not cost effective to try and pick someone off.

Until someone develops some AI to mine all this data for the weakest members of that herd. That's how lions hunt. They don't go looking for one particular zebra. They just spot the one who stands out as being just a bit slower than the rest. Child molesters work in much the same manner. They have developed something akin to a sixth sense that enables them to pick out the vulnerable individuals (one that will freeze rather than scream and aim a kick at the nuts). I predict the development of neural net apps

Re:

[140Mandak262Jamuna]

Until someone develops some AI to mine all this data for the weakest members of that herd. That's how lions hunt. They don't go looking for one particular zebra. They just spot the one who stands out as being just a bit slower than the rest.

All the lions need is really a marker for a particular zebra. The whole idea of black and white pattern of Zebra is to confuse the lions about where one Zebra ends and another Zebra begins in the visual field of the lions. So the lions keep chasing the entire herd till one of the tire or stumble. Then they focus on that zebra.

But when the researchers tagged zebras with collars or markers they found the marked zebra gets killed within a week, often within two days. No amount of washing off, no amount of c

Re:

[smellotron]

Do you have a reference for that zebra-marking research? A five-minute google exercise didn't reveal anything, and I'm interested.

Re:

[140Mandak262Jamuna]

I have been trying to find the reference again, but I am not able to find it. Definitely will post it when I find it. I will ask in Pandas Thumb. That is the watering hole for many field biologists.

Re:

[140Mandak262Jamuna]

Googling turned this up. It is more of a corroboration than a research reference. The book appears to be a general life-philosophy kind of book. http://books.google.com/books?id=Skno0ivxx0IC&pg=PT105&lpg=PT105&dq=marked+zebra+gets+killed&source=bl&ots=zcBFrlxfiP&sig=DMKe7qifVt9RGh37DQp9r7hOXXg&hl=en&ei=02q0TfzxDJGEtgfUppjqDg&sa=X&oi=book_result&ct=result&resnum=5&ved=0CDQQ6AEwBA#v=onepage&q&f=false [google.com] Will continue looking for the citation. But may

Re:

[clang_jangle]

That's not quite the way it works. You end up on a list -- everyone inevitably does, unless you live "underground" -- a research company searches databases for your info, which leads them to more info...

Re:

[_0xd0ad]

And yet, those very risky actions become fairly safe, based on the sheer number of people doing it.

"Safe" in the same sense that statistically speaking nobody wins the lottery. Yet people still play...

Re:

[icebike]

And yet, those very risky actions become fairly safe, based on the sheer number of people doing it.

"Safe" in the same sense that statistically speaking nobody wins the lottery. Yet people still play...

Also safe in the sense that not everyone is interesting, especially to the would-be stalkers.

But the good looking woman who posts pics from around her home HAD BETTER be aware of
geotagging defaults of her cell phone.

Not everyone needing to take these precautions knows about this issue. And the techno-ditz who got an iphone from daddy
is probably most at risk.

I geotag all my travel photos. I sometimes whip out my cell and take the same shot I just took with my DSLR just so that
I can manually geotag the high

Researchers?

[93 Escort Wagon]

For example, by looking at the location metadata stored with pictures posted through one man's anonymous Twitter account, the researchers were able to pinpoint his likely home address. From there, by cross-referencing this location with city records, they found his name. Using that information, the researchers went on to find his place of work, his wife's name, and information about his children.

They may be calling themselves "researchers", but it's pretty obvious they're just a bunch of really creepy dudes.

Re:

[robot256]

They may be calling themselves "researchers", but it's pretty obvious they're just a bunch of really creepy dudes.

How did they know the anonymous feed was a man? They were probably hoping it was a chick, and got pissed that it wasn't and started stalking the guy.

Re:

[Anonymous Coward]

They may be calling themselves "researchers", but it's pretty obvious they're just a bunch of really creepy dudes.

I didn't know there was a difference.

Re:

[Nehmo]

The non-identifying "researchers", the non-specific "city records", and the rest of the vagueness ending with the scary "information about his children" all mean this really didn't happen. It was just a plausible set of occurrences the author made up for the article. There are a number of steps in the described process that aren't sure. It's not always easy to find someone's employer from their name, for example.

Re:

[_0xd0ad]

Um, are you unaware that you can look up the city records for any address and find out who owns the deed to the property? Google and/or the White Pages are useful tools too.

Re:

[wjousts]

Did you even bother to read TFA?

During a presentation at the computer security conference Source Boston, Ben Jackson of Mayhemic Labs and Larry Pesce, a senior security consultant with NWN, described the way photos taken by many phones are routinely encoded with latitude and longitude tags.

Emphasis mine. So there goes your "non-identifying" researchers.

To make people aware of the dangers of this data, Jackson and Pesce launched a site called I Can Stalk U [icanstalku.com], which searches Twitter for posts that reveal locati

Re:

[icebike]

Seriously, why would you even visit this site?

The mere fact that you did, gives them the first bunch of information to locate you, your IP, Browser info, and potentially any un-secure cookies on your machine.

Re:

[yahwotqa]

You should be safe, as long as you checked their twitflicksquarebook profile to make sure they were gone for vacation, and as long as you did not take a picture of yourself giving thumbs-up to the camera while breaking in. :)

Interesting

[kitsunewarlock]

Although they claimed complete anonymity (and they were probably right since they were just measuring waves and not recording them), our local news-radio station was going on and on about how they were tracking traffic near Obama to check for non-disclosed road closures by tracking cell-phones--specifically finding areas where cellphones in roads suddenly stop and cluster.

Re:

[icebike]

Google maps with the traffic layer turned on.
Its in every smartphone, and its pretty accurate, with no discernible delay. You can watch concert and ball game induced traffic slugs in nearly real time.

But road closures can not be distinguished from mere lack of traffic, and most of the time president induced closures are designed to route around rather than hold people captive for long periods.

What really sucks is when they shut down an entire airport and sometimes an entire cities just so that the presiden

Sigh of relief...

[microcentillion]

My G2 hasn't been geotagging my photos. Unfortunately for the gal I've been chatting with from Craigslist, hers does :D

Re:

[PPH]

So we'll be able to find her body after she goes out on a date with Philip Markoff [wikipedia.org].

Re:

[microcentillion]

Except for when the background is a wall in my room. I'd rather not have my location (accurate to three meters) tacked onto it. Not everyone can *look* at a picture and know exactly where you sleep at night.

Re:

[Anonymous Coward]

Right, because someone taking a picture of their breakfast should assume that you know from the shape of their pancakes where they live. When later on in the day they announce that they are going to watch the new harry potter movie now, they really don't expect you to know where they live unless you are already friends with them.

Re:

[wjousts]

Yes, but getting a computer program to recognize the Eiffel Tower in a photo is a lot harder that writing a program to just read the geotagging data. And as others have already pointed out, not all pictures contain obvious location cues, but all geotagged photos do.

Re:

[wjousts]

Most of mine start with "hello"

Re:

[sexconker]

really? every cellphone conversation I hear starts with "How are you?" then maybe:"awesome, what are you doing later/tomorrow night/this weekend?"

Really? Every phone conversation I have starts with "hello".

Re:

[icebike]

Actually, it it starts with "How are you" thats your clue its a salesman.

I swear to god they must teach this in phone-sales school.

Education is good, but don't overhype defaults

[Drakino]

I think educating people about this is good, but it should also be clear that this isn't the default on all platforms. The iPhone for example specifically asks when a user uses the camera if they want to allow the camera program access to the users location. In iOS 4, this was expanded to also provide information right on the prompt about why this info was requested. On or off is presented equally. It's the users choice to geotag photos on the iPhone, and that choice can be changed at any time. From what I understand, other platforms are similar.

iPhoto on the Mac will also default to stripping location data before exporting the photos anywhere. This includes both publishing the photos online, or exporting them to a folder outside the iPhoto data store.

Stripping geotags may not matter

[safetyinnumbers]

At some point in the future photosynth-style image matching could be combined with streetview images to locate a photograph without the need for GPS info.

Simlarly, I expect 'search by face' to become more of an issue than being tagged in a Facebook photo.

Off switches

[Strange Ranger]

The real questions are:
  How much can we trust the various "Off" switches for the multiple "Location Services" on our mobile devices?
 
    How much responsibility do companies have to make sure their devices' default settings don't "invite" crime and invasion of privacy?
 
Who checks to keep these businesses honest?

Re:

[93 Escort Wagon]

So, whats the problem?

You can find out far more about someone by following them, or snooping in their mailbox..
It's not like it's a top secret where people live or who their spouse is...

If you post stuff online, or go out of your house, your taking a risk. It's called life

You shouldn't be reading Slashdot while you're driving. There's a pullout 300 yards ahead of you, on the left - stop there and finish your comments.

Geotagging in photos is off by default

[brunes69]

... at least in Android. You have to explicitly turn it on if you want to do it. So this story is mostly FUD IMO, unless it is iPhone only, in which case it should specifically say "iPhone" instead of "Smartphones"

RTFM,FCTC,T

[RockDoctor]

Smartphones include geotagging features that many people aren't aware of,

In other news ... people who buy complex devices and DON'T Read The Friendly Manual, From Cover To Cover, Twice ... get bitten in their shiny metal asses. Big fucking deal.